On December 14th Dominion Voting Systems issued a statement regarding last week’s discovery of a widespread cyber infiltration attack using Solarwind’s Orion IT platform. “Dominion Voting Systems does not now – nor has it ever – used the SolarWind’s Orion Platform, which was subject of the DHS emergency directive dated December 13, 2020 (Emergency Directive 21-01). This short statement doesn’t address the possibilities of Dominion being vulnerable to already infected systems when connected remotely or directly and exposed to the payloads or “projects” executed on compromised systems. Research has shown that once compromised the malware was capable of moving between machines on a system.
Cyber Security Consultant, FireEye published a research paper last week, detailing the worldwide cyber breach that may have affected the 2020 presidential elections, as well as infecting and compromising thousands of other government and government related systems.
The IT monitoring company, SolarWinds’ plug in ‘Orion’ has been found to contain a backdoor that communicates via HTTP to third party servers.
The FireEye research team found the cyber campaign to be “the work of a highly skilled actor and the operation was conducted with significant operational security.” Noting that “This campaign’s post compromise activity was conducted with a high regard for operational security, in many cases leveraging dedicated infrastructure per intrusion. This is some of the best operational security that FireEye has observed in a cyber attack, focusing on evasion and leveraging inherent trust.”
According to Krebs on Security, control over the domain has been transferred to Microsoft. Asked about the changeover, Microsoft referred questions to FireEye and to GoDaddy, the current domain name registrar for the malicious site.
FireEye responded that the domain seizure was part of a collaborative effort to prevent networks that may have been affected by the compromise from communicating with the attackers. What’s more, the company said the domain was reconfigured to act as a “killswitch” that would prevent the malware from continuing to operate in some circumstances.
After an initial dormant period of up to two weeks, the malware retrieves and executes commands, called “Jobs”, that include the ability to transfer files, execute files, profile the system, reboot the machine, and disable system services. The malware masquerades its network traffic as the Orion Improvement Program (OIP) protocol and stores reconnaissance results to blend in with legitimate SolarWinds activity. After gaining initial access, the group uses a variety of techniques to disguise their operations
FireEye detected this activity at multiple entities worldwide. The victims include government, consulting, technology, telecom and extractive entities in North America, Europe, Asia and the Middle East.
“We anticipate there are additional victims in other countries and verticals. FireEye has notified all entities we are aware of being affected.”
The actor sets the hostnames on their command and control infrastructure to match a legitimate hostname found within the victim’s environment. This allows the adversary to blend into the environment, avoid suspicion, and evade detection.
The attacker’s choice of IP addresses was also optimized to evade detection. The attacker primarily used only IP addresses originating from the same country as the victim, leveraging Virtual Private Servers.
Once the attacker gained access to the network with compromised credentials, they moved laterally using multiple different credentials. The credentials used for lateral movement were always different from those used for remote access.
Security researchers have been reporting their malware findings online, including a Chinese cyber-security group called RedDrip Team, described on Twitter as the “Technical Twitter of QiAnXin Technology”, who published a decode script on Github, saying its tool had identified nearly a hundred suspected victims of the breach, including universities, governments and high tech companies.